magdev/wp-bootstrap
1
Fork 0
Code Issues Pull Requests Actions Releases 24 Activity

security: add |esc_url to all template URLs, register escape Twig filters (v1.1.3)
All checks were successful
Create Release Package / PHP Lint (push) Successful in 50s
Details
Create Release Package / PHPUnit Tests (push) Successful in 44s
Details
Create Release Package / Build Release (push) Successful in 2m17s
Details

Browse Source 
5th OWASP Top-10 pass: added |esc_url filter to all unescaped URL outputs
across 8 Twig template partials (headers, footers, search, comments).
Registered esc_html, esc_attr, esc_url as Twig filters with is_safe option.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Marco Grätsch
2026-03-07 10:34:41 +01:00
parent 02689f687f
commit 6c8526d2a5
10 changed files with 33 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
views/partials/header-offcanvas.html.twig
View File

@@ -1,7 +1,7 @@
<header>
<nav class="navbar navbar-expand-lg bg-body-tertiary" aria-label="{{ __('Primary navigation') }}">
<div class="container">
<a class="navbar-brand fw-bold" href="{{ site.url }}">
<a class="navbar-brand fw-bold" href="{{ site.url|esc_url }}">
{{ site.name }}
</a>
@@ -16,7 +16,7 @@
aria-labelledby="navbarOffcanvasLabel">
<div class="offcanvas-header">
{% if user.logged_in %}
<a href="{{ user.account_url }}" class="d-flex align-items-center text-decoration-none">
<a href="{{ user.account_url|esc_url }}" class="d-flex align-items-center text-decoration-none">
{{ user.avatar|raw }}
<span class="ms-2 fw-semibold">{{ user.display_name|esc_html }}</span>
</a>
@@ -32,7 +32,7 @@
{% if item.children|length > 0 %}
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle{{ item.active ? ' active' : '' }}"
href="{{ item.url }}" role="button"
href="{{ item.url|esc_url }}" role="button"
data-bs-toggle="dropdown" aria-expanded="false">
{{ item.title }}
</a>
@@ -40,7 +40,7 @@
{% for child in item.children %}
<li>
<a class="dropdown-item{{ child.active ? ' active' : '' }}"
href="{{ child.url }}"
href="{{ child.url|esc_url }}"
{% if child.active %}aria-current="page"{% endif %}
{% if child.target %}target="{{ child.target }}"{% endif %}>
{{ child.title }}
@@ -52,7 +52,7 @@
{% else %}
<li class="nav-item">
<a class="nav-link{{ item.active ? ' active' : '' }}"
href="{{ item.url }}"
href="{{ item.url|esc_url }}"
{% if item.active %}aria-current="page"{% endif %}
{% if item.target %}target="{{ item.target }}"{% endif %}>
{{ item.title }}